There are often times when we might want to capture network packets for long periods, but this isn't practical with Wireshark. Fortunately, the Wireshark suite does include a tool that can do it, and that tool is dumpcap.
I'm sure you've had the situation where you've been asked to investigate a problem that only happens once a week. You'd love to get a packet capture when the problem occurs, but how? Wireshark has a ring buffer capability that could be used, but there are problems:
- If the trace gets stopped due to a scheduled network change, who will restart it? Will the person on shift know how to restart Wireshark, and can they be trusted to start it with the correct settings?
- As Wireshark runs, it decodes packets and its data structures grow. This causes performance issues, and eventually Wireshark may simply run out of virtual memory and crash.
Luckily there is a simple answer.
Capturing with Dumpcap
When you start a Wireshark capture, Wireshark actually starts a capture program called dumpcap. The great thing is that we can use dumpcap directly from the command line.
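As an added example (not from the original article), here is a small POSIX shell wrapper that runs dumpcap from the command line with a ring buffer and restarts it automatically if it stops, which addresses both problems listed above: the capture comes back with the same settings without anyone on shift needing to know Wireshark, and the `-b files:` limit keeps disk use bounded however long it runs. The interface `eth0`, the output directory `/var/cap`, the file size and count, and the capture filter are assumptions chosen for illustration; adjust them for your host. The helper functions only build and validate the argument list, so they can be checked without dumpcap installed.

```shell
#!/bin/sh
# Added example: long-running dumpcap ring-buffer capture under a restart loop.
# Assumed values (not from the page): interface eth0, output base /var/cap/ring,
# 100000 kB per file, 20 files kept, and a filter that drops SSH traffic.

# dumpcap refuses to start with a non-numeric or zero ring parameter, so check first.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the dumpcap argument list, one argument per line so callers can quote safely.
# -b filesize:NUM switches to a new file after NUM kB; -b files:NUM keeps only the
# newest NUM files, overwriting the oldest, which bounds total disk use.
build_dumpcap_args() {
    iface=$1 outbase=$2 filesize_kb=$3 nfiles=$4 filter=$5
    is_positive_int "$filesize_kb" && is_positive_int "$nfiles" || return 1
    printf '%s\n' -i "$iface" -w "$outbase.pcapng" \
        -b "filesize:$filesize_kb" -b "files:$nfiles" -f "$filter"
}

# Supervisor loop: whenever dumpcap exits (crash, interface bounce, reboot script),
# restart it with identical settings so the ring buffer keeps filling.
run_capture() {
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not found" >&2; return 127; }
    build_dumpcap_args "$1" "$2" "$3" "$4" "$5" >/dev/null || { echo "bad ring parameters" >&2; return 2; }
    while :; do
        dumpcap -i "$1" -w "$2.pcapng" -b "filesize:$3" -b "files:$4" -f "$5"
        echo "dumpcap exited with status $?; restarting in 10s" >&2
        sleep 10
    done
}

# Run as a script with all five parameters, e.g. from a service unit or scheduled task:
#   ./ringcap.sh eth0 /var/cap/ring 100000 20 'not port 22'
if [ "$#" -eq 5 ]; then
    run_capture "$@"
fi
```

Run it from a service manager or scheduled task rather than an interactive shell so it survives logouts, and size `filesize` times `files` to the disk you can spare; the oldest file is dropped once the ring is full, so the window you keep is whatever those two numbers allow at your traffic rate.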
Dumpcap doesn't decode the packets as it captures and so ...